Home Computer Security and Privacy: Part One
a presentation by Patrick Douglas Crispen
Faculty Development Center, California State University, Fullerton

Richards' Law of Computer Security
Don't buy a computer. If you do buy a computer, don't turn it on.
Source: http://virusbusters.itcs.umich.edu/um-resources/vbinterview.html
Clever, but false. The [social engineer] will talk someone into turning that computer on.
Source: Mitnick, p. 7

Truths about computer security
- EVERY home computer and every operating system is vulnerable to attack.
- In the early days of home computing, solitary equaled safe [except from floppy viruses.]
- But the internet is a dark force multiplier. When you connect your home computer to the internet, the internet connects to your home computer.

Tick tock
- Once online, your computer is vulnerable to attack from viruses, worms, and even criminals.
- How long do you have between connection and attack? On average, 20 minutes. And if you have a cable or DSL connection, you have less time than that.
Source: http://isc.sans.org/survivalhistory.php
How long do I have, doc?
Source: http://isc.sans.org/survivalhistory.php

Why me?
Why is your home computer attacked?
- It is specifically targeted [HIGHLY unlikely.]
- It is a target of opportunity using a known exploit.
Common types of home computer security breaches
- Viruses, worms, and Trojan horses
- Zombieing
- Code exploits
- Malware [adware and spyware]
- Man in the middle
- Combination attacks

Impact of home computer security breaches
- Loss or compromise of your data
- Identity theft
- Loss of income
- Legal consequences
- Gloom, despair, and agony on me; deep dark depression, excessive misery

Scared yet?
The internet can be a dangerous place for both computers and users. Fortunately, there are some simple ways to protect both your computer and yourself.
Protection = Prevention + [Detection + Response]

Prevention is the mother of safety
This workshop is about the first part of that equation: prevention. We could spend weeks talking about detection and response. In fact, your local college has semester-long courses on that very topic. For home computer users, intrusion detection and response are just WAY too much work. But prevention is a [relative] snap.
Our goals
- Demonstrate why you need a firewall
- Show you how to deal with computer exploits
- Do all of this in ENGLISH!

Coming soon to a theatre near you
In part two of this workshop [coming soon], we
- Show you why an updated antivirus program is a necessity.
- Talk about how to kill spyware and other malware.
- Find out how to block pop-up ads.
- Learn how to protect your privacy online.

Short attention span summary
To protect against worms and exploits [which is what we're going to spend this entire presentation talking about]:
- Use both a hardware and a software firewall.
- Run Windows Update/Apple Software Update at least weekly.
- Patch all of your software frequently.
Short attention span summary
To protect against viruses, worms, and Trojan horses [which we'll talk about in part two]:
- Install the latest antivirus software.
- Update your virus definitions several times a week.
- Never double-click on files attached to email messages.
- Turn off Windows file sharing.
- GET RID OF YOUR FILE SHARING PROGRAM!

Short attention span summary
To protect against malware [which we'll also talk about in part two]:
- Use a good anti-spyware program regularly.
- Think about ditching Internet Explorer.
To protect your privacy [also in part two]:
- Disguise your data.
- Encrypt your data and communications.
- Erase your tracks.
- Watch out for social engineering attacks.

Part One: Firewalls
What they are and why you absolutely need one [well, actually, two] before you even THINK about connecting your computer to the internet.

Mmm... worms and crackers.
Connect to the internet and two things will quickly target and attack your computer: worms and crackers.
- Worms are a type of computer virus that, using the automatic file sending and receiving features built into most computers, try to infect other computers [including yours] over a network. Many worms include backdoors that give crackers a way to easily break into your computer at a later date.
And if the worms don't get you, the crackers will.

The cracker shibboleth
People who know nothing about computers use the word "hacker" as a pejorative to describe "a person who uses his skill with computers to try to gain unauthorized access to computer files or networks." [Source: Oxford English Dictionary]
Cute, but wrong. Inside the computing world, however, the term "hacker" is highly complimentary, respectfully used to describe "a person with an enthusiasm for programming or using computers as an end in itself." [Source: Oxford English Dictionary]

Hackers v. crackers
In the computer world
- A "hacker" is a brilliant and respected computer programmer or technical expert.
- A "cracker" is someone who tries to break into your computer or files without your knowledge and/or permission.
- A large portion of the cracker community is made up of script kiddies, people who
  - Use security-breaking scripts and programs developed by others.
  - In general do not have the ability to write these scripts and programs on their own. [Source: Wikipedia]

How crackers find you
How do worms and crackers find your computer in the first place?
- Worms automatically/randomly search the internet looking for every unprotected computer they can find.
- Every semi-competent cracker and script kiddie has software that
  - Scans thousands of internet connections looking for Windows file and printer shares.
  - Scans for known vulnerabilities, holes, and unsecured services in Windows, Mac OS, Linux, Apache, VM-CMS, etc.
  - Exploits those known vulnerabilities.
  - Cracks Windows passwords.
  - And so on.

Two types of attacks
Most home computer attacks/intrusions are either
- Coordinated: your computer is specifically targeted by a skilled cracker.
- Opportunistic: a worm or cracker finds your computer during a random scan of thousands of other computers.
Unless someone is after you, you don't have to worry about coordinated attacks. For home computer users, they're few and far between. Besides, you can't really stop a coordinated attack. You can only delay it.

Protecting your computer
To protect your computer from opportunistic attacks, besides being vigilant with patch management, hide your computer from the internet. If the worms and crackers can't see your computer, they [hopefully] won't attack you. How do you hide your computer? Use a firewall.

What is a firewall?
A firewall is either hardware or software that stands between your computer [or home network] and its internet connection and provides access control: it determines what can and cannot pass.
It's just like the firewall in your car. Your car's firewall keeps the bad stuff from your engine [like heat and exhaust] out of your passenger cabin. But it isn't impervious. It has holes in it to let the good stuff [like the steering column and the brakes] through.

What is a firewall?
A good firewall, like your car's firewall, keeps the bad stuff out and lets the good stuff through. How? Well, most consumer firewalls (the hardware firewalls [well, actually they're routers] you can buy at Wal-Mart or Target, or the software firewalls you can download) offer a combination of
- Computer stealth: they hide your computer from the worms' and crackers' scans.
- Intrusion blocking: they make it harder [but not impossible] for worms and crackers to break in.

IP addresses
When you connect your home computer to the internet, the internet connects to your computer.
- Every computer connected to the internet has its own, unique internet address [like 220.127.116.11 or 18.104.22.168].
- Your ISP automatically assigns the internet address to your computer from a pool of addresses the ISP maintains.
- When you disconnect [or at some regular interval with cable modem and DSL connections], that address goes back into the ISP's pool of addresses and is given to someone else.
- If a cracker knows your internet address, he can probe your computer for vulnerabilities.

NAT
Hardware firewalls use something called Network Address Translation, or NAT, to hide your computer from the worms and crackers.
- You physically connect your home computer[s] to the firewall and connect the firewall to the internet.
- The firewall, not your home computer, connects to the internet and is assigned a publicly visible internet address by your ISP.

Hiding behind a wall of fire
- Your firewall automatically assigns your computer a private internet address.
- Only your firewall knows what your computer's private address is. The private address is not visible to anyone on the internet, nor is it [directly] accessible from the internet.
- Since the worms and crackers can't see your computer's address, it is harder for them to scan your computer for vulnerabilities. So, hopefully, the worms and crackers move on to someone else's computer.

Communicating with the internet
- Your firewall becomes your computer's intermediary on the internet. All traffic must go through it.
- When you request something from the internet, the firewall pretends that it made the request, not your computer.

Keeping worms and crackers out
- Since the internet never even sees your computer, there's nothing for the worms or crackers to probe or attack other than your firewall. And your firewall is just a dumb box.

Stateful packet inspection
- In addition to using NAT to hide your computer, a firewall also uses stateful packet inspection, or SPI, to block intruders.
- It only allows connections that you originate. All other connections are automatically blocked at the firewall.
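The NAT-plus-SPI behaviour the last few slides describe, as an added toy model in Python. This is example code written for this page, not part of the presentation and not any router's firmware. The addresses, ports and payloads are constructed sample values, and a real router also tracks the protocol, times entries out and handles far more cases; the point here is only to make "the firewall pretends it made the request" and "only connections you originate get back in" visible.

```python
"""Toy consumer router: NAT (hide the PC) plus stateful packet inspection (block the rest).

Added example, not from the presentation. All IPs/ports are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class HomeRouter:
    """Sits between the LAN and the ISP. Outbound traffic is rewritten and remembered;
    inbound traffic is delivered only if it answers something a LAN host asked for."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip          # the only address the internet ever sees
        self.next_port = first_port
        # state table: public port -> (private ip, private port, remote ip, remote port)
        self.state: Dict[int, Tuple[str, int, str, int]] = {}
        self.log: List[str] = []

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> internet: replace the private source with the router's public address
        and record the mapping so the reply can be routed back."""
        public_port = self.next_port
        self.next_port += 1
        self.state[public_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        self.log.append(f"NAT {pkt.src_ip}:{pkt.src_port} -> {self.public_ip}:{public_port} "
                        f"for {pkt.dst_ip}:{pkt.dst_port}")
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: pass only packets that match an entry the LAN created (SPI).
        Unsolicited scans hit a port with no state and are dropped; a packet aimed at a
        live mapping from the wrong remote host is dropped too."""
        entry = self.state.get(pkt.dst_port)
        if entry is None:
            self.log.append(f"DROP unsolicited {pkt.src_ip}:{pkt.src_port} -> :{pkt.dst_port}")
            return None
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            self.log.append(f"DROP {pkt.src_ip}:{pkt.src_port} does not match state for :{pkt.dst_port}")
            return None
        # Translate back to the private address and hand it to the PC.
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.payload)


def nat_demo() -> dict:
    """One web request from the PC, its reply, then two packets nobody on the LAN asked for."""
    router = HomeRouter("198.51.100.7")   # constructed public address (documentation range)
    pc = "192.168.1.10"                   # private address the router handed the PC
    web = "203.0.113.80"                  # constructed web server
    scanner = "203.0.113.66"              # constructed scanning host

    out = router.outbound(Packet(pc, 51515, web, 80, "GET / HTTP/1.0"))
    reply = router.inbound(Packet(web, 80, router.public_ip, out.src_port, "HTTP/1.0 200 OK"))
    probe = router.inbound(Packet(scanner, 4444, router.public_ip, 139, "file-share probe"))
    spoof = router.inbound(Packet(scanner, 4444, router.public_ip, out.src_port, "fake reply"))
    return {
        "outbound_src": (out.src_ip, out.src_port),          # what the web server saw
        "reply_delivered_to": (reply.dst_ip, reply.dst_port) if reply else None,
        "probe_passed": probe is not None,
        "spoof_passed": spoof is not None,
        "log": router.log,
    }


if __name__ == "__main__":
    for line in nat_demo()["log"]:
        print(line)
```

The web server only ever sees 198.51.100.7:40000, the reply is translated back to 192.168.1.10:51515, and both the probe of port 139 and the packet aimed at the live mapping from the wrong host are dropped, which is exactly why an unprotected PC and a PC behind a cheap router look so different to a scan.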
Why firewalls ROCK!
IF YOU DON'T HAVE A FIREWALL, YOUR COMPUTER WILL BE ATTACKED AND/OR COMPROMISED, USUALLY WITHIN 20 MINUTES OF YOUR CONNECTING TO THE INTERNET.
Firewalls protect your home computer from worms and crackers through a combination of
- Computer stealth using NAT.
- Intrusion blocking using stateful packet inspection.
Gosh, is there anything firewalls can't do?

What a firewall can't do
Well, actually, a consumer firewall can't
- Fix operating system or software vulnerabilities. A firewall may block some exploits coming in from the internet, but the vulnerabilities will still be there. That's why patch management is so important.
- Protect your computer from viruses. A firewall may block internet worms, but it won't block viruses attached to emails, hidden in files you download from the internet or Kazaa, etc. Virus protection is a job for your antivirus program, not a firewall.
There's more
A consumer firewall also can't
- Protect your computer from spyware.
- Block pop-up ads.
- Block spam.
- Completely keep crackers out.
- Protect you from doing stupid stuff to your computer.
But, if you are looking for simple computer stealth and basic intrusion blocking (and trust me, you are), you need a firewall.

Don't I already have a firewall?
How can you tell if you have a firewall and/or if it is working properly? Go to grc.com and run Shields Up. This is a free, online tool from security guru Steve Gibson. Shields Up checks file sharing, common ports, all service ports, messenger spam, and browser headers. If Shields Up can see you, so can the crackers. You either don't have a firewall or it isn't configured properly.

Which one?
Should you get a hardware firewall or a software firewall? Yes.
- If you have a cable modem, satellite, or DSL connection, you need both a hardware firewall and a software firewall.
- If you have a dial-up connection, you only need a software firewall.
Why both?
Hardware firewalls have an Achilles' heel: they [for the most part] assume that ALL internet traffic originating from your computer is safe. But, if you accidentally double-click on a virus-infected file,
- Your computer will be infected with that virus. [Remember, hardware firewalls can't protect you from either viruses or doing stupid stuff.]
- That virus is more than likely going to try to use your computer and your internet connection to infect other computers.

With their tanks, and their bombs, and their bombs, and their guns
So your computer is now a virus-spewing zombie. BUT, remember, your hardware firewall still trusts your computer. Your computer is flooding the internet with thousands of viruses, worms, or spams, and your hardware firewall doesn't notice, care, or even bother to tell you.
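To make the gap concrete, here is an added toy model in Python of a check running on the PC itself, the job the presentation assigns to a personal software firewall: it asks once per program whether it may talk to the internet, remembers the answer, and notices when a trusted program suddenly opens hundreds of connections. This is example code for this page, not ZoneAlarm's or any vendor's logic; the program names, addresses and the "user clicked Allow" answers are constructed sample values.

```python
"""Toy personal (software) firewall: per-program outbound permission plus a flood check.

Added example, not from the presentation. Program names and traffic are constructed.
"""
from collections import defaultdict
from typing import Callable, Dict, List


class PersonalFirewall:
    def __init__(self, ask: Callable[[str], bool], flood_threshold: int = 50):
        self.ask = ask                          # stands in for the "allow this program?" pop-up
        self.rules: Dict[str, bool] = {}        # remembered answers: program -> allowed
        self.counts: Dict[str, int] = defaultdict(int)  # outbound connections per program
        self.flood_threshold = flood_threshold
        self.alerts: List[str] = []

    def outbound(self, program: str, dst: str) -> bool:
        """Return True if this outbound connection may leave the PC.

        The router downstream would pass every one of these; the decision here is
        made by program, not by packet, and that is what catches the zombie."""
        if program not in self.rules:
            self.rules[program] = self.ask(program)
            verdict = "allowed" if self.rules[program] else "blocked"
            self.alerts.append(f"prompt: {program} wants internet access ({dst}); {verdict}")
        if not self.rules[program]:
            return False
        self.counts[program] += 1
        if self.counts[program] > self.flood_threshold:
            # A program that was fine a minute ago is now spraying connections: revoke and alert.
            self.rules[program] = False
            self.alerts.append(f"flood: {program} exceeded {self.flood_threshold} connections; blocked")
            return False
        return True


def firewall_demo() -> dict:
    """Constructed scenario: the user allowed the browser, the mail client and, by mistake,
    an infected program; an unknown program is never allowed."""
    user_answers = {"iexplore.exe": True, "eudora.exe": True, "zombie.exe": True}
    fw = PersonalFirewall(lambda program: user_answers.get(program, False))
    passed: Dict[str, int] = defaultdict(int)

    for _ in range(3):                                    # normal browsing
        if fw.outbound("iexplore.exe", "203.0.113.80:80"):
            passed["iexplore.exe"] += 1
    for i in range(200):                                  # infected program tries 200 hosts
        if fw.outbound("zombie.exe", f"203.0.113.{i % 256}:445"):
            passed["zombie.exe"] += 1
    if fw.outbound("unknown.exe", "203.0.113.9:25"):      # never approved by the user
        passed["unknown.exe"] += 1

    return {"passed": dict(passed), "rules": dict(fw.rules), "alerts": fw.alerts}


if __name__ == "__main__":
    for alert in firewall_demo()["alerts"]:
        print(alert)
```

Of the 200 connections the infected program attempts, 50 get out before the flood check revokes its permission; the hardware firewall in the previous slide would have passed all 200 without comment. Real personal firewalls key their rules on more than a file name (hash, publisher, path), which is why they re-prompt when a program changes.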
How software firewalls work
Software firewalls [actually, personal software firewalls]
- Constantly run in the background.
- Block bad stuff from the internet [the stuff that somehow magically makes it past the hardware firewall.]
- Warn you when a program on your computer tries to access the internet. You decide whether or not that program will be allowed to access the internet.
So in our zombie example, the software firewall, NOT the hardware firewall, would catch the flood of viruses before they even left your computer.

In the simplest [grossly oversimplified] terms
- Hardware firewalls protect your computer from the internet.
- Software firewalls
  - Are a second layer of defense behind your hardware firewall.
  - Protect both your computer from the internet AND the internet from your computer.
  - Warn you when something fishy is happening on your computer.
So now can you see why I recommend running both a hardware AND a software firewall?

Hardware firewalls
Now for the bad news: hardware firewalls (stand-alone boxes that do nothing but block intruders) are both complicated and expensive. Cisco's cheapest firewall [the PIX 501] is approximately US$400. Source: pricewatch.com
But two important features of hardware firewalls, NAT and SPI, are built into most hardware routers, which are a LOT cheaper. The Linksys Instant Broadband EtherFast Cable/DSL Firewall Router with 4-Port Switch/VPN Endpoint [BEFSX41] is approximately US$70. Source: pricewatch.com

Over the router and through the woods
My suggestion? Before you connect your computer to the internet, go to your nearest technology store or big box retailer. Buy a cable/DSL router from Linksys [my favorite], D-Link, Netgear, Belkin, or SMC for US$50-$75.
[Image courtesy Linksys.com]
u:admin p:admin?
Read the instructions that come with your router and CHANGE YOUR ROUTER'S DEFAULT ADMIN USERID AND PASSWORD! Crackers know the default administrator's userid and password for every router [and firewall and server and operating system and...] ever made. Check out http://www.phenoelit.de/dpl/dpl.html if you don't believe me.

Software firewalls
Now that I've spent US$50 of your hard-earned money on a router, let me save you some money. The four best software firewalls [in my humble opinion] are absolutely free.
- ZoneAlarm: http://www.zonelabs.com/
- Sygate Personal Firewall: http://smb.sygate.com/products/spf_standard.htm
- Windows XP Service Pack 2 Internet Connection Firewall: built into Windows XP SP2 but NOT into previous versions of XP
- Mac OS X Firewall: built into Mac OS X

Training your firewall
You need to train the free version of ZoneAlarm [and other software firewalls.] By default, ZoneAlarm blocks everything on your computer from accessing the internet. You have to manually tell ZoneAlarm which programs to let through. Fortunately, this is really simple to do: just check out http://www.tinyurl.com/27wcz for instructions on how to install and train ZoneAlarm.

XP Firewall
Windows XP comes with its own firewall, so we XP users can breathe easy, right? WRONG! If you have Windows XP Home or Professional, your built-in software firewall is both horrible and [most likely] disabled.

XP Firewall
BUT, if you download and install Windows XP Service Pack 2 from Windows Update, your new built-in software firewall is both good and ON!
Oh, and Windows 95, 98, 98SE, ME, and 2000 do NOT come with a built-in software firewall. You need to download ZoneAlarm or Sygate Personal Firewall.

To turn on XP's built-in firewall
- Go to Start > Control Panel.
- Click on Network and Internet Connections or double-click on Network Connections.
- Right-click on your local area network and choose Properties.
- Click on the Advanced tab.
- Check "Protect my computer and network by limiting or preventing access to this computer from the Internet."
- Click on OK.

To turn on OS X's built-in firewall
- Go to Apple menu > System Preferences.
- In Internet & Network, click on the Sharing folder icon.
- Click on the Firewall tab.
- Uncheck any of the services you don't understand or want to run all the time.
- Then click on the Start button.

Remember
- If you have a cable modem, DSL, or satellite connection, you need both a hardware firewall [in the form of a router] and a software firewall.
- If you have a dial-up connection, you only need a software firewall.

Done?
Once you've installed a hardware and/or software firewall you're in the clear, right? Not exactly. You're SIGNIFICANTLY better protected from exploits and network intrusions than most people, but there's still more you need to do.
Part Two: Exploits
What they are, where they come from, and how to manage them

What is an exploit?
Until machines start taking over for humans, software bugs and glitches caused by simple human error will be the norm. Windows XP contains over 40 million lines of source code. Source: Wikipedia
Could YOU write that many lines of code and not make a mistake?
An exploit is a program or technique used by a cracker to take advantage of software bugs or glitches in order to circumvent your computer's security, often without your knowledge.

Mmm... freedom bread.
A firewalled computer is a little like a loaf of French bread: crunchy on the outside and chewy on the inside. Firewalls protect your computer from worms and crackers, but not from [all] exploits. And EVERY operating system is vulnerable to exploits.

Some questionable stats from Secunia
XP Professional
- 46 security advisories issued in 2003-2004
- 48% involved some sort of remote [online] attack.
- 46% involved granting system access to a cracker.
Mac OS X
- 36 security advisories issued in 2003-2004
- 61% involved some sort of remote attack.
- 32% involved granting system access to a cracker.
Source: Secunia [as posted in http://slashdot.org/comments.pl?sid=113493&cid=9613964]

XP v. Mac OS X
So Windows is safer, and Mac OS X is less safe, than most people imagined, right? Not exactly. This is kind of like trying to scientifically measure which parent loves you more.

Why you should question Secunia's [and everyone else's] numbers
- Different suppliers report vulnerabilities differently.
- A system which includes more software may have more advisories, even though most advisories do not affect most computers running that system.
- Unpatched vulnerabilities may go for months without the release of an official advisory.
Source: http://slashdot.org/comments.pl?sid=113493&cid=9613823

Why you should question Secunia's [and everyone else's] numbers
- Systems which have better default system-wide security settings (e.g. packet filtering, services turned off by default) may have all kinds of "vulnerabilities" that can't actually be exploited.
- Leaving it up to the supplier to decide if something is a "vulnerability" or a "feature" leads to underreporting.
- Some of the most common attacks, such as viruses, rely on social engineering, and on "features" that are not classed as "vulnerabilities".
Source: http://slashdot.org/comments.pl?sid=113493&cid=9613823
The truth of the matter
Computer security isn't just a PC- or Mac-only problem. EVERY operating system and EVERY software application has vulnerabilities, especially online. Crackers can use these vulnerabilities to
- Read or even delete every file on your computer;
- Infect your computer with a virus;
- Use your computer to attack another computer; or
- Do a whole bunch of other nasty things.
But there are some simple ways to keep the crackers [especially the script kiddies] at bay.

Signs your computer MAY have been exploited
- Spontaneous reboots
- Failed services, virus scanner disabled
- Sluggish behavior, poor performance, slow logins
- Excessive disk or network activity (HD LED, switch LED)
- Unknown user accounts
- Application and service errors
- Low disk space
- Subpoenas and search warrants
- Your computer insists on playing global thermonuclear war.
Source: Alex Keller, SFSU

Symptoms v. the disease
Just because your computer has one or more of these symptoms doesn't necessarily mean it has been exploited, though. Examples:
- Your computer suddenly reboots during a thunderstorm.
- Your network activity light goes supernova while you are illegally downloading the latest DiVX movie.
- Your computer becomes sentient after you spill a Pepsi on the keyboard.

Call my attorney! I've been EXPLOITED!
But if your computer has been exploited, you need to
- Stop cussing.
- Immediately disconnect your computer from the internet.
- Identify the exploit.
- Close the hole.
- Fix the damage.

I feel so dirty.
To identify the exploit:
- Reconnect to the internet, update your antivirus definitions, disconnect, and scan your entire hard drive.
- Reconnect to the internet, update your antispyware definitions, disconnect, and scan your entire hard drive.
- Write down the symptoms; reconnect to the internet; search Google, Symantec, or the Microsoft Knowledge Base; disconnect.
To close the hole, download and apply the appropriate patch from the manufacturer's web site.

Repairing the damage
Repairing the damage from an exploit could be as simple as deleting or replacing corrupt data or as complicated as a deep-level format of your hard drive. The repair path depends on the exploit. This may be a job for a professional repair technician.
The BEST way to repair the damage caused by an exploit is to close the holes before they are exploited.

Closing the holes
When a vulnerability is found, operating system and software manufacturers [eventually/hopefully] release something called a patch. A patch is simply a software update meant to fix problems, bugs, or the usability of a previous version of an application. Source: Wikipedia
Download and install the patch and your computer is [hopefully] no longer susceptible to that particular vulnerability.

Why are patches so important?
When a new patch is released, an unintended consequence is that the bulletin announcing the patch also announces the vulnerability to crackers. Crackers count on the fact that you won't get the patch, so your computer will continue to be vulnerable. And the time between bulletin and exploit is shrinking.
MS02-039
MS Security Bulletin: MS02-039, Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution (Q323875)
Originally Posted: July 24, 2002
Exploit: W32.SQLExp.Worm [a.k.a. SQL Slammer Worm]
Exploit Discovered by Symantec on: January 24, 2003
Elapsed Time from Bulletin to Exploit: 184 days

MS04-011
MS Security Bulletin: MS04-011, Security Update for Microsoft Windows (835732)
Originally Posted: April 13, 2004
Exploit: W32.Sasser.Worm
Exploit Discovered by Symantec on: April 30, 2004
Elapsed Time from Bulletin to Exploit: 17 days

Patch or DIE!
Notice a trend? Can you see why patch management is so important? The time between bulletin and exploit is shrinking!

She watch, she watch, she watch channel ZERO!
In fact, zero-day exploits (exploits that take advantage of unknown operating system or software application vulnerabilities) already exist, and more are coming. Crackers keep these zero-day exploits to themselves, using them to gain access or escalate privileges on a small number of target systems. No one has released a Blaster- or Sasser-like zero-day exploit into the wild... yet.
You can't completely protect your computer from every exploit, but you can keep the exploits at bay by practicing simple patch management.

Patch management
Where do you start?
List EVERYTHING!
- Email client(s)
- Web browsers
- Word processors
- Chat programs
- Media players
- Games
Make a simple, estimated time sheet showing the programs you use each week and how much time you use each program.

Patch management
Don't forget to include your operating system and antivirus, which [hopefully] are always running.
- Add those to the top of your list.
- Sort your list by hours of use.
- That's your patch list, in order.

How I use my home computer
Program                                  Estimated hours per week I use that program
Microsoft Windows XP Pro SP 1            45 hours
Norton Antivirus 2004                    45 hours
Eudora Pro 6.1                           30 hours
Microsoft Internet Explorer 6 SP 1       25 hours
Microsoft Word 2003                      15 hours
Microsoft PowerPoint 2003                10 hours
Trillian 0.74                            10 hours
Macromedia Dreamweaver MX 2004           10 hours
Mozilla Firebadger 0.9                    5 hours

My patch list
So my patch list, in order, would be
1. Microsoft Windows XP SP 1
2. Norton Antivirus 2004
3. Eudora Pro 6.1
4. Microsoft Internet Explorer 6 SP1
5. ...

How to patch Windows
When Microsoft finds a security hole in Windows or Internet Explorer, they [usually/eventually] release a patch called a Critical Update.
- In Internet Explorer, go to Tools > Windows Update.
- Click on Scan for updates.

How to patch Windows
- Download and install only the Critical Updates and Service Packs. Ignore the other updates.
- Keep running Windows Update until it tells you to go away.
To see a complete catalog of all Microsoft Critical Updates for Windows 9X and NT, go to http://v4.windowsupdate.microsoft.com/catalog

The NEW Windows Update
There are now two Windows Updates:
- Version 4 for Windows 95, 98, 98SE, ME, and NT
- Version 5 for Windows XP and 2000
When you run Windows Update, Microsoft sniffs your computer and automatically redirects you to the correct version.

Mambo Number 5
When you run Windows Update v.5 on XP or 2000 for the first time, choose Express Install. This only gives you the critical updates and security updates. By default, Automatic Updates are turned on.
How to patch the Apple OS
Apple menu > Software Update
To get updates immediately:
- Choose System Preferences from the Apple menu.
- Choose Software Update from the View menu.
- Click Update Now.
- In the Software Update window, select the items you want to install, then click Install.
[Image courtesy Apple.com]

Manually run Windows Update or Apple Software Update at least once a week. Your computer should, by default, automatically check for updates. That's cool, but also run the update manually just to be safe.

To patch Microsoft Office
- In Windows XP or 2000, just run the new Windows Update.
- In older versions of Windows, go to officeupdate.microsoft.com and click on Check for Updates.
- Mac users need to go to http://www.microsoft.com/mac/downloads.aspx
Have your Office installation disk nearby in case the update needs to sniff the disk.

Patching other programs through Check for Updates
Open the program you want to patch and, under the Help menu, look for Check for Updates, Updates, Check for Upgrade, or something similar.
This will either
- Automatically check for and install any software patches you are missing, or
- Take you to a web site where you can download the necessary patches.

Manually patching your software
If the Help menu doesn't have a built-in update feature,
- Choose About [the name of the program] in the Help menu and write down the exact version number of the program. Usually it's an integer and a combination of decimals [like 7.0.1].
- Go to the software manufacturer's web site and look for Downloads, Upgrades, Support, or something similar.

Manually patching your software
- Compare your software's version number to the version number available online.
- If the decimals of the online version number are larger than yours, download and install the appropriate patch.
- If the integer is larger, you'll need to buy a new version of the program.
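The two mechanical parts of the patch-management procedure above (building the patch list from the time sheet, and the version-number comparison rule from the last two slides), as an added Python example. This is example code for this page, not anything the presenter distributed. The time sheet is the presenter's own table; the "available online" version numbers in the usage are constructed sample values, and the parser assumes the dotted-integer form the slide describes [like 7.0.1].

```python
"""Patch-management helpers: added example, not from the presentation.

1. patch_list(): operating system and antivirus first (they are always running),
   everything else sorted by estimated hours of use per week.
2. classify(): the workshop's rule for comparing version numbers. A bigger integer
   means buy a new version; bigger decimals mean download the patch.
"""
from typing import List, Tuple

# The presenter's time sheet: (program, estimated hours per week, always running?).
HOME_PC: List[Tuple[str, int, bool]] = [
    ("Microsoft Windows XP Pro SP 1", 45, True),
    ("Norton Antivirus 2004", 45, True),
    ("Eudora Pro 6.1", 30, False),
    ("Microsoft Internet Explorer 6 SP 1", 25, False),
    ("Microsoft Word 2003", 15, False),
    ("Microsoft PowerPoint 2003", 10, False),
    ("Trillian 0.74", 10, False),
    ("Macromedia Dreamweaver MX 2004", 10, False),
    ("Mozilla Firebadger 0.9", 5, False),
]


def patch_list(programs: List[Tuple[str, int, bool]]) -> List[str]:
    """Always-running programs go to the top; the rest are ordered by weekly hours.
    sorted() is stable, so programs with equal hours keep their time-sheet order."""
    always_on = [p for p in programs if p[2]]
    by_hours = sorted((p for p in programs if not p[2]), key=lambda p: p[1], reverse=True)
    return [name for name, _, _ in always_on + by_hours]


def parse_version(text: str) -> Tuple[int, ...]:
    """'7.0.1' -> (7, 0, 1).  Assumes dotted integers only (the form the slide describes).

    Compare versions component by component, never as decimal numbers: as a float
    7.10 equals 7.1 and 0.74 is less than 0.9, but as versions 7.10 is newer than 7.9."""
    return tuple(int(part) for part in text.strip().split("."))


def classify(installed: str, available: str) -> str:
    """Apply the slide's rule.  Returns 'upgrade' (integer is larger: buy a new version),
    'patch' (decimals are larger: download the patch) or 'current'."""
    mine, theirs = parse_version(installed), parse_version(available)
    if theirs[0] > mine[0]:
        return "upgrade"
    if theirs > mine:           # tuple comparison is component-wise, left to right
        return "patch"
    return "current"


if __name__ == "__main__":
    for rank, name in enumerate(patch_list(HOME_PC), start=1):
        print(f"{rank}. {name}")
    # Constructed "available online" versions, not real release numbers.
    for have, online in [("6.1", "6.1"), ("6.1", "6.2"), ("6.1", "7.0"), ("7.9", "7.10")]:
        print(f"installed {have}, online {online}: {classify(have, online)}")
```

The first four entries of the generated list match the presenter's own patch list, and the 7.9 versus 7.10 case is the one that trips people who compare version numbers as decimals.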
Done?
Once you've installed a hardware and/or software firewall and [regularly] patched your operating system and programs, you're in the clear, right? Not exactly. You're certainly better protected from exploits than most people, but there's still more you need to do.

Coming soon to a theatre near you
In part two of this workshop [coming soon], we
- Show you why an updated antivirus program is a necessity.
- Talk about how to kill spyware and other malware.
- Find out how to block pop-up ads.
- Learn how to protect your privacy online.